Unable to create an IKEv1 IPSec vpn with an Azure VPN using Basic SKU

Daniele Albano 0 Reputation points
2025-02-11T18:15:32.5666667+00:00

Hey there,

I am trying to create an IKEv1 VPN to connect an old firewall - or at least try - to an Azure VPN. I can't use IKEv2 as the firewall fails to maintain the tunnel established with an "unknown message" error (most likely caused by the software in use, as it's from 2018).

After checking out the documentation and various PowerShell examples, I was able to create a Virtual Network Gateway with a Basic SKU, of course using a Public IP with a basic SKU as well, within a resource group without any other Virtual Network Gateway (as seems to be a requirement) and with a VNet with the necessary subnet.

I have also created the Local Network Gateway as needed.

Everything up to this point (resource creation) seems to work fine, but when I try to add the IKEv1 connection via the Azure Portal using the created resources I get the following error:

{
    "status": "Failed",
    "error": {
        "code": "InvalidConnectionProtocol",
        "message": "Invalid ConnectionProtocol IKEv1 specified for gateway /subscriptions/XYZXYZXY-0000-1111-2222-333333333333/resourceGroups/RG/providers/Microsoft.Network/virtualNetworkGateways/OfficeVpnVirtualNetworkGatewayIKEv1",
        "details": []
    }
}

I am not entirely sure what the culprit is here as the error is too generic and I have recreated everything from scratch to be sure it's not just a transient error.

Also, searching on Bing or Google is not too helpful because of the generic error.

Any idea of what might be causing this issue?


EDIT


For instance, even using the example commands from the documentation, with some extra commands to create the local network gateway and the connection, leads to the same result:

$MyPublicIP = "1.2.3.4"
$MyAddressPrefix = "1.2.3.4/24"

New-AzResourceGroup -Name TestRG1 -Location EastUS
$virtualnetwork = New-AzVirtualNetwork -ResourceGroupName TestRG1 -Location EastUS -Name VNet1 -AddressPrefix 10.1.0.0/16
$subnetConfig = Add-AzVirtualNetworkSubnetConfig -Name Frontend -AddressPrefix 10.1.0.0/24 -VirtualNetwork $virtualnetwork
$virtualnetwork | Set-AzVirtualNetwork
$vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
$vnet | Set-AzVirtualNetwork
$gwpip = New-AzPublicIpAddress -Name "VNet1GWIP" -ResourceGroupName "TestRG1" -Location "EastUS" -AllocationMethod Dynamic -Sku Basic
$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 -Location "East US" -IpConfigurations $gwipconfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku Basic
$vnetgw = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
New-AzLocalNetworkGateway -Name TestLocalGW -ResourceGroupName TestRG1 -Location "East US" -GatewayIpAddress $MyPublicIP -AddressPrefix $MyAddressPrefix
$localgw = Get-AzLocalNetworkGateway -Name TestLocalGW -ResourceGroupName TestRG1
New-AzVirtualNetworkGatewayConnection -Name TestLocalNGConnection -ResourceGroupName TestRG1 -Location "East US" -VirtualNetworkGateway1 $vnetgw -LocalNetworkGateway2 $localgw -ConnectionProtocol IKEv1 -ConnectionType IPsec

ERROR:
New-AzVirtualNetworkGatewayConnection: Invalid ConnectionProtocol IKEv1 specified for gateway /subscriptions/1a1e927f-863f-43db-8070-9b12584e4533/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: InvalidConnectionProtocol
ErrorMessage: Invalid ConnectionProtocol IKEv1 specified for gateway /subscriptions/1a1e927f-863f-43db-8070-9b12584e4533/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
OperationID : 8fb96e74-1870-4f38-9a75-731c19afaf02

Creating the Local Network Gateway and the Connection manually via the Portal or via PowerShell doesn't lead to different results.

1 answer

    Rohith Vinnakota 2,720 Reputation points Microsoft Vendor
    2025-02-11T21:01:27.74+00:00

    Hi @Daniele Albano,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I did a lab in my environment and also got the same issue.

    {
        "status": "Failed",
        "error": {
            "code": "InvalidConnectionProtocol",
            "message": "Invalid ConnectionProtocol IKEv1 specified for gateway /subscriptions/xxxxxxx-b3ff-xxxx-afe6-e7dca4xxxxdd/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",
            "details": []
        }
    }

    According to the documentation, IKEv1 is not supported in the Basic SKU.


    Refer to this link for more details:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto?form=MG0AV3#about-ikev1-and-ikev2-for-azure-vpn-connections

    I changed IKEv1 to IKEv2 and successfully configured it.



    I hope this has been helpful!

    Your feedback is important, so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

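The answer's point is that the `InvalidConnectionProtocol` error is a SKU restriction, not a transient failure. The following PowerShell is an added example, not code from the question or the answer: a pre-flight check that reads the gateway's SKU before any connection is attempted, and a provisioning function that repeats the question's steps on a SKU that is not rejected for IKEv1. The resource names mirror the question's script; the `VpnGw1` SKU, the Standard static public IP it needs, and the `$Psk` placeholder are assumptions drawn from the VPN Gateway documentation linked in the answer, not from this page.

```powershell
# Added example (not from the question or the answer). Assumes the Az.Network module
# is installed and Connect-AzAccount has been run.

# Gateway SKUs on which the service rejects ConnectionProtocol IKEv1 with
# InvalidConnectionProtocol. Basic is the case shown on this page; extend the list
# from the compliance/crypto article linked in the answer if you run legacy SKUs.
$SkusWithoutIkev1 = @('Basic')

function Test-AzVpnGatewayIkev1Support {
    <#
    .SYNOPSIS
      Pre-flight check: $true when the gateway can accept an IKEv1 connection,
      $false (with a warning saying why) when the request would fail as it did above.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName
    )

    $gw  = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $sku = $gw.Sku.Name

    if ($gw.GatewayType -ne 'Vpn') {
        Write-Warning "$GatewayName is a $($gw.GatewayType) gateway, not a VPN gateway."
        return $false
    }
    if ($SkusWithoutIkev1 -contains $sku) {
        Write-Warning "$GatewayName uses SKU '$sku', which the service rejects for ConnectionProtocol IKEv1 (InvalidConnectionProtocol). Redeploy it on a VpnGw SKU."
        return $false
    }
    Write-Verbose "$GatewayName (SKU $sku, VpnType $($gw.VpnType)) accepts IKEv1."
    return $true
}

function New-Ikev1CapableVpnGateway {
    <#
    .SYNOPSIS
      Same steps as the question's script, but with a gateway SKU and public IP
      combination that does not trigger the error. Provisioning takes tens of minutes.
    #>
    param(
        [string] $ResourceGroupName = 'TestRG1',
        [string] $Location          = 'EastUS',
        [string] $VNetName          = 'VNet1',
        [string] $GatewayName       = 'VNet1GW',
        [string] $GatewaySku        = 'VpnGw1'   # assumption: a non-Basic RouteBased SKU
    )

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

    # VpnGw SKUs need a Standard-SKU, statically allocated public IP; the question's
    # script used Basic/Dynamic, which only the Basic gateway SKU accepts (assumption
    # from the documentation, not stated on this page).
    $gwpip = New-AzPublicIpAddress -Name "$GatewayName-pip" -ResourceGroupName $ResourceGroupName `
        -Location $Location -AllocationMethod Static -Sku Standard

    $ipconfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
        -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

    New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName `
        -Location $Location -IpConfigurations $ipconfig -GatewayType 'Vpn' `
        -VpnType 'RouteBased' -GatewaySku $GatewaySku
}

# Usage: run the check first so a wrong SKU is reported before the connection call.
$Psk = '<pre-shared-key-placeholder>'   # placeholder; use a long random value kept in a vault
$vnetgw = New-Ikev1CapableVpnGateway
if (Test-AzVpnGatewayIkev1Support -ResourceGroupName 'TestRG1' -GatewayName 'VNet1GW') {
    $localgw = Get-AzLocalNetworkGateway -Name 'TestLocalGW' -ResourceGroupName 'TestRG1'
    New-AzVirtualNetworkGatewayConnection -Name 'TestLocalNGConnection' -ResourceGroupName 'TestRG1' `
        -Location 'East US' -VirtualNetworkGateway1 $vnetgw -LocalNetworkGateway2 $localgw `
        -ConnectionType IPsec -ConnectionProtocol IKEv1 -SharedKey $Psk
}
```

The check reads `$gw.Sku.Name` from the deployed gateway rather than trusting the script that created it, so it also catches the case in the question where everything was rebuilt from scratch and the SKU was still Basic. Changing the SKU of an existing Basic gateway in place is not possible, so the provisioning function creates a new gateway rather than resizing.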
